Securing Your Resources In the Run Lifecycle


By Shashank Chandramohan, Senior Customer Success Engineer 

 

In the past, application teams had to code everything from scratch, from building an application to releasing a new version, and at best shipped every one or two years using standard shipping distribution methods. Today, application teams often use third-party open-source resource libraries and the cloud to get their products into the hands of users. These methods have sped up development to the point where application teams can release much faster, such as once a month or once a week.

 

Information security has had to adopt a new model to span the application lifecycle to keep up with the development speed, new technologies, and infrastructure changes. 

 

At Palo Alto Networks, we use the Code & Build, Deploy, Run (CBDR) framework. With this approach, you have four phases to prevent misconfigurations that can lead to vulnerabilities. 

 

The phases are:

 

  1. Code - Writing the code to create the resource.
  2. Build - Compiling the resource and its configuration.
  3. Deploy - Deploying the resource to where it is housed.
  4. Run - Running the resource and the live environment in which it is hosted.

 

This article focuses on the CBDR framework's final phase, the Run phase. If you want to start from the first phase, you can read about the Code & Build or Deploy lifecycle phases by clicking the blog links above.

 

Even though most successful exploits and breaches result from misconfigurations and vulnerabilities introduced in the Code & Build or Deploy phases, maintaining security is still crucial in the Run phase because vulnerabilities and exploits can be introduced in any phase of the application lifecycle. Run focuses on securing your workloads in the cloud with your security infrastructure, maintaining network security, and keeping an eye out for breaches, given that assets have already been deployed and are now externally facing.



Figure 1 - Use cases of Prisma Cloud during the Run phase

 

In the Run Phase, you're preventing and detecting breaches trying to access your production assets, network workloads, identities, and data. Prisma Cloud can help your organization’s security professionals detect, analyze, and remediate the common issues that appear in live environments, which range from crypto-jacking, where someone uses your Cloud resources to do crypto mining, to ransomware. 

 

Security in the Run phase should not depend only on daily or otherwise infrequent scans. Daily scans can miss costly breaches and malware that is gone by the time abnormal behavior is detected. In a modern production environment, ephemeral cloud resources might only exist for minutes or hours, so it's essential to have a solution that continuously monitors and looks for vulnerabilities and attacks while the resources are active.

 

Prisma Cloud secures your runtime environment using predictive and threat-based protections. It can run and deliver results in near real-time, 24/7/365, eliminating the missed spots from when your resources were checked only once or twice a day. Your security personnel can be notified and start working on threats within minutes, saving time and money at scale.

 

By continuously monitoring your runtime environments, Prisma Cloud goes beyond protecting you from known vulnerabilities and can detect the suspicious behavior of a zero-day vulnerability. Our machine-learning models are based on what is normal for your resources: if behavior deviates from the norm and is malicious, you will be alerted and able to act quickly.

 

Prisma Cloud uses Palo Alto WildFire to detect previously unseen targeted malware and advanced persistent threats. And best of all, we bring the resources and research from our world-renowned Unit 42 Security Group to help protect your runtime environment.

 

Drilling Down

Prisma Cloud can identify and remediate issues to secure your assets with the following capabilities:

 

  1. Compliance and Governance
  2. Misconfiguration and Threat Detection 
  3. Vulnerability Management
  4. Runtime Security
  5. Web App and API Security 
  6. Integrated Access Management Security
  7. Data Security
  8. Network Security

 


 

Compliance and Governance 

Cloud compliance comprises the procedures that ensure that your cloud environment complies with your governance rules. When you build a compliant cloud environment, your environment conforms to one or more specific sets of security and privacy standards. Some common compliance frameworks include PCI DSS, GDPR, FedRAMP, and various versions of NIST.

Prisma Cloud has you covered: it comes with over 20 of the most commonly used compliance frameworks out of the box, and you can tailor and create your own rules and policies for your organization’s specific needs, making it simple to set up and maintain compliance.

You can also view, assess, and monitor your cloud infrastructure's health and compliance posture, and create reports that contain summary and detailed findings of security and compliance risks in your cloud environment across one or more cloud accounts.

 


Figure 2 - The Prisma Cloud Compliance Overview screen includes a line graph on the left showing the number of resources that exist, have failed, and have passed on a monthly timeline. There is also a bar graph on the right that shows compliance coverage based on compliance frameworks.

The Compliance Overview screen allows you to assess your compliance trends and coverage over time at a glance.

 

Web Application and API Security (WAAS)

WAAS enhances the traditional Web Application Firewall (WAF) protection model by deploying closer to the application, efficiently scaling up or down, and allowing for inspection of "internal" traffic (east-to-west) from other microservices as well as inbound traffic (north-to-south).

Prisma Cloud supports both inline and out-of-band WAAS, which you can use on your hosts and containers.  Inline WAAS offers more protection and features at the cost of using more resources in your cloud. Out-of-band WAAS allows you to run your production loads unchanged, with the WAAS monitoring done elsewhere in your network. 

 

Prisma Cloud WAAS can block new zero-day attacks as soon as they are identified without waiting for modified applications. 

 

Some highlights of WAAS’s capabilities are:

  • OWASP Top-10 Coverage - Protection against most critical security risks to web applications, including injection flaws, broken authentication, broken access control, security misconfigurations, etc.
  • API Protection - WAAS can enforce API traffic security based on definitions or specs.
  • Access Control - WAAS controls access to protected applications using Geo-based, IP-based, or HTTP Header-based user-defined restrictions.
  • File Upload Control - WAAS secures application file uploads by enforcing file extension rules.
  • Detection of Unprotected Web Applications - WAAS detects and flags unprotected web applications in the radar view.
  • Penalty Box for Attackers - WAAS supports a 5-minute ban of IPs triggering one of its protections to slow down vulnerability scanners and other attackers probing the application.
  • Bot Protection - WAAS detects known good bots and other bots, headless browsers, and automation frameworks. WAAS can also fend off cookie droppers and other primitive clients by mandating the use of cookies and JavaScript for the client to reach the protected origin.
  • DoS Protection - WAAS can enforce rate limitations on IPs to protect against high-rate and "low and slow" layer-7 DoS attacks.
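To make the interaction between the rate limit, the file extension rule, and the penalty box concrete, here is a small simulation added as an illustration. It is not Prisma Cloud code or configuration: the class name, the thresholds other than the 5-minute ban, the blocked extensions, and the sample traffic are all assumptions constructed for this example.

```python
from collections import defaultdict, deque

BAN_SECONDS = 5 * 60                   # the 5-minute ban described in the list above
RATE_LIMIT = 3                         # assumed: max requests per window per IP
RATE_WINDOW = 10                       # assumed: window length in seconds
BLOCKED_EXTENSIONS = (".php", ".exe")  # assumed file upload rule

class PenaltyBox:
    """Hypothetical per-IP enforcement: any triggered protection starts a ban."""

    def __init__(self):
        self.banned_until = {}            # ip -> second at which the ban ends
        self.recent = defaultdict(deque)  # ip -> request times inside the window

    def _violation(self, ip, ts, upload_name):
        # Rate limit: forget requests older than the window, then count.
        window = self.recent[ip]
        while window and window[0] <= ts - RATE_WINDOW:
            window.popleft()
        window.append(ts)
        if len(window) > RATE_LIMIT:
            return "rate_limit"
        # File upload control: reject disallowed extensions.
        if upload_name and upload_name.lower().endswith(BLOCKED_EXTENSIONS):
            return "file_extension"
        return None

    def handle(self, ip, ts, upload_name=None):
        """Return (action, reason) for one request seen at second ts."""
        if self.banned_until.get(ip, 0) > ts:
            return ("block", "penalty_box")   # still serving an earlier ban
        reason = self._violation(ip, ts, upload_name)
        if reason:
            self.banned_until[ip] = ts + BAN_SECONDS
            self.recent[ip].clear()
            return ("block", reason)
        return ("allow", None)

# Constructed sample traffic: (ip, second, uploaded file name or None)
SAMPLE = [
    ("198.51.100.7", 0, None), ("198.51.100.7", 1, None),
    ("198.51.100.7", 2, None),
    ("198.51.100.7", 3, None),           # 4th request in 10 s: banned until 303
    ("203.0.113.9", 5, "report.pdf"),
    ("203.0.113.9", 6, "shell.php"),     # extension rule: banned until 306
    ("198.51.100.7", 120, None),         # inside the ban window
    ("198.51.100.7", 304, None),         # ban has expired
]

def replay(events):
    box = PenaltyBox()
    return [box.handle(ip, ts, name) for ip, ts, name in events]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE, replay(SAMPLE)):
        print(event, "->", verdict)
```

The request at second 120 is blocked with the reason `penalty_box` even though it is harmless by itself, which is the slowing effect on scanners that the list describes.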

 


Figure 3 - The WAAS Explorer dashboard in Prisma Cloud

 

There are four graphs: 

  • Web protection coverage graph: how many critical unprotected and vulnerable web apps you have, with a line for high, medium, low & none.
  • Activity overview line graph: the number of policy changes, total traffic, access control, API, DoS, Custom, and WAF activities. 
  • Line graph: the inspected traffic by WAAS, showing how many requests and bytes with the WAAS actions by effect. 
  • Bar graph: total attacks per type and a summary of the WAAS configured policies & rules.

 

Runtime Security

Runtime security is a vast set of features that protect containers and provide threat-based active protection for running containers, hosts, and serverless functions. Threat-based protection includes capabilities like detecting when malware is added to a workload or when a workload connects to a botnet - all in real time.

With Prisma Cloud, you can use both agent-based and agentless runtime defense and security separately or simultaneously. Agent-based defense can block threats in real time, such as crypto mining and malicious code, but is more resource intensive. With limited resources, agentless scanning can cover your entire cloud without deploying agents on every host. With both agent-based and agentless scanning, you can use Prisma Cloud to detect changes to the file system, network, and process activity, with each sensor having its own set of rules and alerting - keeping you protected no matter the number of resources you have available.

 


 

Data Security

In the Run phase, data security is crucial for preventing leaks of personally identifiable information (PII) and sensitive data that may have been overlooked. With so many resources being run on your workloads, it is difficult to scan and ensure that none of them have potentially exposed data. 

 

Prisma Cloud has 600 data profiles & patterns out of the box and is customizable for your organization’s use cases. For example, you can configure various roles in your organization to see only masked data. This applies the principle of least privilege, ensuring that only authorized users can access sensitive data.

 

Conclusion

With faster development and release times come new technologies and challenges. Instead of relying on past methods that only scan and monitor once or twice daily, teams need real-time coverage of resources that can scale. Prisma Cloud can scale to meet these needs with automation and customizable tools that cover you from Compliance and Reporting to Runtime Security and WAAS.

 
